There's a difference. One happens on a daily basis. The other might happen a time or two each year. A risk assessment, said Finney, sounds like something that "has a beginning and an end, and it doesn't."

Added Ed Ricks, president of information services and CIO at South Carolina's Beaufort Memorial Hospital: "If it does have an end, it's the day you get fired because you're not paying attention."

Security risk assessments are a fundamental part of keeping compliant with HIPAA and HITECH regulations – not to mention meeting Stage 1 meaningful use – but they have been problematic for many providers.

"If you look at the numbers, you see they're pretty low," HIMSS Senior Director of Privacy and Security Lisa Gallagher told Healthcare IT News earlier this year. "We have organizations trying to meet meaningful use Stage 1, and they're calling me and saying, 'We can meet all of the requirements of Stage 1, except the risk analysis requirement.'"

Sometimes a lack of resources is the problem. Often, it's a lack of clarity: Providers – whether they're hospitals or physician practices – don't know just what to do, or what will bring them into compliance.

The Department of Health and Human Services has never quite said plainly that "If you do the following, you are compliant," said Gallagher in March. "They said, 'Do a risk assessment, document it and make sure you mitigate any findings that you have.' But there's no standard for what is minimum to be compliant. And that's causing the industry a lot of stress."

A simple audit – taking the HIPAA security rule and ensuring certain requirements are being met – "is not really a risk assessment," said Finney.

Instead, it requires a much more holistic approach to the organization – focusing on "people, process and technology" – that reviews and redresses shortcomings and vulnerabilities in all three areas.

"You have to document what you do," she added. "What did you do to remediate it?"

The HIPAA security rule "has been around for a long time now," Ricks pointed out. People are paying more attention to it now, "trying to check a box for meaningful use."

But really, he said, it's just a "smart business practice." Joking about the specter of a catastrophic breach, he added: "I don't think I would look good in an orange jumpsuit."

Later in the day, Healthcare IT News Editor Bernie Monegain sat down for an on-stage interview with the chief enforcer of the HIPAA privacy rule, Leon Rodriguez, director of HHS' Office for Civil Rights (OCR).

Asked when we will finally see the omnibus Final HIPAA Privacy and Security Rule, Rodriguez said only that "We, like you, are eagerly awaiting its issuance."

In the meantime, he said, OCR has been focused on transforming its organizational culture "to an enforcement oriented culture."

Until three or so years ago, he said, the agency's strategy was focused on "specific investigations into specific incidents."

Since HITECH, however, the mandate has been to do something far broader in focus, said Rodriguez. "We have moved into an area of more assertive enforcement."

There have been – and will continue to be – "more monetary settlements," be they from physician practices, hospitals, health plans or state social services agencies.

"Every one of those is a message to the rest of the industry," he said.

Still, OCR is committed to "doing enforcement in a balanced way that is coupled with education," said Rodriguez.

With experience both as a former prosecutor and as a counsel for healthcare providers, he says he sees these issues from all sides. "Enforcement does breed compliance," said Rodriguez. "But enforcement also needs to be mindful of business realities."

To the question of why risk assessments are so difficult for so many providers, Rodriguez acknowledged that many larger organizations have experience, having learned about their vulnerabilities the hard way "because they had experience with fraud and abuse."

For other, perhaps smaller, providers, there's always the question of where to direct management attention and resources. "There has been some real progress made, but there's still a long way to go," he said.

For his part, Rodriguez said OCR's workload has quintupled in the years since the HITECH Act came along.

The threats are manifold, he said – "theft, loss and unauthorized disclosure" are the biggest ones. Hacking? Not as much. That's just one reason why, "in addition to technological safeguards," providers need to focus on administrative and physical safeguards.

Rodriguez noted that, as part of OCR's move toward a culture of enforcement and education, it has been moving away from "breach porn" – splashy press releases about troves of paper records found in a hospital's dumpster, say – and more toward an assiduous effort of ensuring that organizations nationwide "are engaging in the process."

It's "a lot nerdier, but that's what's really going to make all the difference in the long-run," he said. "We're focusing on the roadmap of compliance."

Enforcement is now a "fact of life," said Rodriguez. "It is having a beneficial effect on compliance." As such, "The number of monetary enforcement cases will continue to grow."

Still, he said, "We are not missing opportunities to get out and educate the industry."

OCR is cognizant that "bad things will happen, breaches will happen," he said.

That's why, "You will not hear me, except in quotations, use the phrase the Wall of Shame," said Rodriguez, referring to OCR's infamous list of large-scale breaches.

Shaming "is not the purpose of the breach notification program," he said. Fostering a culture of privacy and security is. "At the end of the day it comes down to leadership: Owning compliance issues and doing so consistently."
